Voice of the Industry on Draft DPDPA Rules

FDPPI conducted an event in Bengaluru on July 27 to discuss the proposed draft of the DPDPA Rules, which had earlier been shared with select parties for comments. MeitY is now in the process of releasing another version for public comments. In the meantime FDPPI held the event so that some comments could be sent to MeitY for incorporation in the immediate next version. The event was attended by over 100 professionals, most of them in person, who contributed to the discussions. Invitations had also been sent to MeitY, and we believe that there were observers from MeitY in the virtual meeting.

The participants were presented with five panel discussions and three keynotes and were also asked to share their views through a Google form. Though not all of them have yet filled in the form, the responses received so far indicate the trend, which we are sharing here.

We are now sharing the same form publicly so that anybody, including those who did not attend the event, can contribute their views. To submit your views you may need to refer to the draft rules at www.dpdpa.in/dpdpa_rules/ . The Act itself is available at www.dpdpa.in

Some professionals would prefer not to comment since the draft rules discussed are not branded as “Official”. It is their choice whether to wait for the next version or to raise their voice now along with the rest of the industry, so that the next version itself can incorporate some of these views.

Some of the interesting observations received so far are as below.

Out of the 40 questions shared, the following questions got a 100% “Yes” response.

Q2: Was it necessary to notify the definition of Significant Data Fiduciary?

Q31. Should Courts introduce a system of listing legal guardianship certificates issued for mentally disabled persons?

Q32. Should UIDAI introduce an age gating service clearing that a person is not a minor?

Q33. Should UIDAI provide a certificate that the person providing consent for a minor is the legal guardian?

Q39. Can an Aadhaar based “Age Pass” be a solution for age gating?

It was interesting to note that one question received a 100% “No” response. It was:

Q38. Is the SEBI mediation platform the acceptable choice for dispute resolution?

The following questions received an 80% “Yes” response:

Q3. Is it necessary to specifically call out a category of “Joint Data Fiduciary” as a class of processors?

Q5. Is it necessary to indicate whether “Subsidiaries” need a separate DPO, or whether a “Group DPO” would be acceptable?

Q8. Should purpose oriented consent be “Process Based”?

Q10. Can Aadhaar data collection be restricted by rule to the Virtual Aadhaar ID only, even for voluntary submission of data?

Q14. Is “Legitimate use” meant to be invoked only under very special circumstances?

Q16. Should the Consent Manager be a trusted representative of the Data Principal who, based on certain pre-approved rules, releases consent in his representative capacity?

Q19. Should Consent Managers be allowed to sub-contract any of their services?

Q20. Should there be a minimum period before which a Consent Manager cannot close down his business?

Q24. Should there be simultaneous reporting of a personal data breach to the Data Principal?

Q25. Should there be simultaneous reporting of a personal data breach to CERT-In?

Q26. Is 72 hours sufficient for the detailed data breach report?

There was one question which elicited an 80% “No” response, namely:

Q40. Should Journalists be excluded from the consent requirement and the obligations for protecting the rights of data principals?

Those who want to participate in this Global Survey may access the form at the following link and send in their views right now.

https://docs.google.com/forms/d/1IOEgE0bywmrEBENsGI1FFNmwAX8Q7XaDkZvlGRqGqo4/edit?ts=66a362c4

Responses received today will be added to the collation and sent to MeitY as the “Voice of the Data Protection Professionals”. We will also try to discuss this further for different sectors in the SIGs and keep a continuous watch.

Naavi

Posted in Cyber Law

The Data Breach Notification Rule under DPDPA requires a re-look

In continuation of our post of yesterday on the Consent Manager, we would like to point out that the “Personal Data Breach Notification Rule” as contained in the draft rules also requires a re-look before the next version of the draft rules is released. Some of our observations are as follows.

We refer to Rule 7 of the draft rules, a copy of which is available at www.dpdpa.in/dpdpa_rules. This rule deals with intimation of a personal data breach. It prescribes two-stage reporting: one report to be made immediately on becoming aware of the personal data breach, and a second, with more details, within 72 hours. It is noted that the rules make no mention of the cyber security incident reporting directions issued by CERT-In under Section 70B of ITA 2000 on 28 April 2022, which require the listed categories of incidents to be reported to CERT-In within six hours of noticing them (Refer: https://cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf).

It is necessary to recognize that every personal data breach involving loss or damage to data is also a data breach under the ITA 2000 framework and remains reportable under the CERT-In directions even after the repeal of Section 43A. Under Section 70B(7) of ITA 2000, failure to comply with a CERT-In direction is punishable with imprisonment of up to one year, or a fine of up to Rs 1 lakh, or both.

Hence clarity should be brought in about the need to copy the data breach report to CERT-In. There should be a process by which the DPB and CERT-In work in harmony in dealing with the breach report.

If the DPB wishes to exercise its right of investigation into the causes of a data breach, it would need to build up additional technical investigation capabilities. CERT-In, on the other hand, already has the necessary expertise with a team of scientists and can also draw on the CERT-In empanelled auditors.

There is a need to recognize that the DPB would be more interested in identifying non-compliance with the law that may affect the rights of the data principal, and hence would like to track even those personal data breaches which do not result in exfiltration of data causing irreversible damage to the data principal. CERT-In, on the other hand, is more interested in the prevention of cyber crimes and hence focuses on data breaches involving exfiltration, loss or damage of personal data.

Hence there is a need for a re-look at this rule and a simultaneous change in the CERT-In rules relating to data breaches.

Further, it is necessary to recognize that organizations which monitor security incidents diligently observe many alerts and whistle-blower reports which, if confirmed, would be breaches but could also turn out to be false.

The draft rule under DPDPA currently requires the report to be submitted “forthwith”. This will force organizations either to report every intrusion alert captured by their systems as a data breach or to ignore the provision. While companies may classify such intrusion alerts as not amounting to a data breach, organizations still need some time to determine whether an internal data breach alert is really a data breach or a false alarm. Hence such observations should be termed “Provisional” at the time of reporting, and the confirmed report filed within 72 hours may be called the “Personal Data Breach Report”.

Hence there is a need to recognize three categories of personal data breaches, namely

  1. Provisional Data Breach
  2. Data Breach not resulting in loss of data
  3. Data Breaches resulting in loss/damage of data

The rules should treat these differently in terms of reporting, mitigation and penalisation.

Since CERT-In has an infrastructure to provide technical guidance on remediation, there is no need to duplicate the effort at the DPB. Regulatory investigation of a technical nature, if required, should be left to CERT-In and its findings adopted by the DPB before it proceeds to determine penalties.

CERT-In has its own powers of a quasi-judicial nature which are stronger than the powers of the DPB. Hence coordination between the two entities is essential to prevent confusion in the industry. For this purpose a “DPB-CERT-In Data Breach Notification and Investigation Policy” should be announced, specifying time-bound completion of investigations and non-overlapping rulings on penalties. (Similar arrangements can also be worked out with RBI, IRDAI and SEBI.)

Alternatively, changes should be notified under ITA 2000 stating that CERT-In would refrain from investigating cases which are taken up for investigation by the DPB under DPDPA 2023.

Wishing away the powers of CERT-In would require an amendment of ITA 2000 and is not feasible in the short run.

Hence CERT-In and the DPB need to build a method of working together without conflict, and this should be done concurrently with the passage of the DPDPA Rules.

We also suggest that the “Provisional Data Breach Notification” need not be sent to data principals, and that the complete notification be posted prominently on the website. The data principals may be sent an email notification, but the likelihood of many not being reached is high. Hence the website notification should be considered sufficient unless the DPB or CERT-In specifically instructs individual notifications.

Comments welcome.

Naavi

Posted in Cyber Law

DPDPA Rule on “Consent Manager” needs a re-look

One of the key provisions of DPDPA is the introduction of the concept of a “Consent Manager” who could represent the data principal for better protection of his privacy.

According to Section 6 of DPDPA 2023 (sub-sections (7) to (9)):

The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

Accordingly, the DPDPA Rules address how a Consent Manager may be registered under DPDPA 2023 and what his functional requirements are. Since the term “Consent Manager” already exists under the DEPA architecture proposed by MeitY in another context and is used in the Account Aggregator scheme of RBI, we need to distinguish that Consent Manager as “CM-DEPA” and refer to the Consent Manager under DPDPA 2023 as “CM-DPDPA” or simply the “CM”.

Naavi.org has, since the days when PDPB 2019 introduced the term “Consent Manager”, consistently projected it as a very innovative thought. The introduction of a specialist Consent Manager who could act as an expert to decipher requests for permissions and assist the data principal was a master stroke which could overcome multiple issues such as “Consent Fatigue”, “Lack of Privacy Appreciation in the society” and “Language barriers”, as well as the difficulty in deciphering permissions so as to overcome dark patterns or misleading notices.

We do not know whether this was just a follow-up of the DEPA Framework or a deliberately introduced feature that could make the Indian law stand out in the world as innovative legislation. It could have been an accident, but a beneficial one, that the concept was introduced in Section 21 of PDPB 2019 stating

“The data principal, for exercising any right under this Chapter, except the right under section 20,(ed: Right to be forgotten) shall make a request in writing to the data fiduciary either directly or through a consent manager with the necessary information as regard to his identity, and the data fiduciary shall acknowledge the receipt of such request within such period as may be specified by regulations”.

“The data principal may give or withdraw his consent to the data fiduciary through a consent manager”, and a “consent manager” is “a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform” (Section 23 of PDPB 2019).

The same provisions prevailed in the Data Protection Bill 2021 and are now reflected in DPDPA 2023.

The interpretation provided by Naavi.org that CM-DPDPA is different from CM-DEPA and has greater utility than a mere software platform was therefore a tribute to the innovative thought of somebody in MeitY who drafted PDPB 2019, whether or not they had such intentions.

The Rules now under discussion seem, however, to have ignored the potential of the “Consent Manager” as a special kind of data fiduciary who could act as a “Power of Attorney Holder” of a Data Principal or a Trustee of his/her personal data. The rules have relegated the role of the CM to a “Software Platform”. This is a classic case of a diamond in the hand being thrown away as just another piece of black charcoal.

Rule 5 of the draft rules now under discussion, which indicates the present thinking of MeitY (see https://www.dpdpa.in/dpdpa_rules/), contains inter alia the following provisions which we feel require a re-look:

1. Not specifying that the definition of a foreign company should go beyond mere “constitution outside India”.

2. Stating that every consent manager shall establish a platform that enables a data principal to give, manage, review and withdraw her consent, to herself obtain her personal data from a data fiduciary, or to ensure that such personal data is shared with another data fiduciary of her choice, without the consent manager being in a position to access that personal data.

3. Specifying that the Consent Manager shall not sub-contract or assign the performance of any of its obligations as a consent manager.

4. Specifying that the Board may suspend or cancel the registration, without specifying how the interests of the data principals are protected.

5. Not specifying a prohibition on data transfer outside India.

For the reasons given below, we request MeitY to reconsider these provisions.

Consent Manager under DPDPA and DEPA

It is recommended that the definition of Consent Manager under DPDPA 2023 be distinguished from the definition of Consent Manager under the Account Aggregator scheme.

At present MeitY seems to be constrained by its own DEPA architecture, where the Consent Manager (CM-DEPA) was a technology platform meant for the limited purpose of data users, such as portfolio managers, requesting consent for financial management purposes; such requests were forwarded to data providers like Banks, who could then provide the information. This relieved the service user from filling up long forms covering assets and liabilities, KYC information and demographic details. RBI applied this system in the Account Aggregator scheme. These use cases are single-purpose and not meant for repeated use.

The consents under DPDPA 2023 are for multiple purposes, required repeatedly for different sets of data elements by different types of data fiduciaries. They include financial service providers such as account aggregators as well as Amazon or Zomato type data fiduciaries, who may require one set of data for clearance of payments and another, limited set for logistics management.

The CM-DEPA system envisages that every consent request received from a data fiduciary by the data principal during subscription to a service is referred to the consent manager, who in turn refers it to the data principal, receives the consent and then communicates the information to the data fiduciary. What data is to be shared remains the decision of the data principal, who is required to read through the permission request, understand the requirement and then approve. For every purchase from Amazon and for every order of food from Zomato, a separate notice and consent is required, and this process of referring to the CM-DEPA has to be followed.

In the ordinary course, a data principal goes to a data fiduciary's service site and receives the notice, which he may click to accept. The data then goes directly from the data principal to the data fiduciary as part of the order.

In the CM-DEPA scheme, there is also a need for the CM-DEPA to check the identity of the Data Principal whose request is coming through a third party.

In this process the CM-DEPA has no visibility of the data, and as long as the platform is suitably configured, data flows in and out as through an ISP. It is therefore an “Intermediary” under ITA 2000.

The CM-DPDPA was not conceived as a replica of this CM-DEPA, since it was necessary to address problems such as consent fatigue, the language barrier and the technology understanding barrier in providing consent.

The CM-DPDPA was therefore considered a person who can represent the data principal before the data fiduciary, not only for providing consent on demand but also for withdrawal of consent or raising a grievance. Hence the CM-DPDPA was conceived as a “Trustee of the Data Principal” and not as a simple ISP type intermediary.

The CM-DPDPA could therefore have visibility of personal data; he could filter the data released for a particular purpose and challenge the permissions sought, using his superior technical and language capability to defeat dark patterns or misleading permission requests. He could use anonymisation and pseudonymisation where required and deliver only such data as is required for a purpose.

For example, the Amazon order placement team would get the financial information which is normally shared with the payment gateway but would not obtain demographic or locational data (unless they justify the requirement with appropriate reasons). The Amazon or Zomato delivery team would get only the delivery address and not the other details, which they might otherwise share with any logistics company. This serves the purpose-wise data minimization requirement.

In such a system, the data principal is relieved of the need to check the permissions and satisfy himself that a particular data element requested is reasonably required for the purpose.
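To make the purpose-wise filtering described above concrete, here is a small illustrative Python script. It is an added example and is not part of the draft rules, the DEPA specification or any actual consent manager implementation. The data principal's record, the release policy (which purposes may receive which fields, and which of those are handed over only in pseudonymised form) and the per-fiduciary pseudonymisation key are all constructed assumptions for illustration; a real CM would hold such pre-approved rules per data principal and per data fiduciary.

```python
"""Purpose-bound release of personal data by a consent manager (illustrative)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample record held by the CM on behalf of a data principal.
PRINCIPAL_RECORD = {
    "name": "A. Sample",
    "email": "sample@example.invalid",
    "phone": "+91-00000-00000",
    "delivery_address": "12, Sample Street, Bengaluru",
    "card_token": "tok_4242",
    "date_of_birth": "1990-01-01",
    "gps_location": "12.97,77.59",
}

# Hypothetical pre-approved rules: purpose -> fields the CM may release,
# and which of those are released only in pseudonymised form.
RELEASE_POLICY = {
    "payment_clearance": {"allowed": {"name", "card_token"}, "pseudonymise": set()},
    "logistics": {
        "allowed": {"name", "delivery_address", "phone"},
        "pseudonymise": {"phone"},
    },
}

# Assumption: one secret per data fiduciary, so pseudonyms cannot be linked
# across fiduciaries. Rotate or derive per fiduciary in a real deployment.
PSEUDONYM_KEY = b"rotate-me-per-fiduciary"


@dataclass
class Release:
    purpose: str
    released: dict        # fields actually handed to the data fiduciary
    refused: set          # fields requested beyond what the purpose justifies
    pseudonymised: set    # released fields that were pseudonymised


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: lets the fiduciary match repeat orders without learning the value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def release_for_purpose(record, purpose, requested_fields, policy=RELEASE_POLICY):
    """Return only the fields the pre-approved rule permits for this purpose.

    Anything requested outside the rule is reported back as refused, which is
    the CM's hook for challenging an over-broad or dark-pattern request.
    """
    if purpose not in policy:
        raise ValueError(f"no pre-approved rule for purpose {purpose!r}")
    rule = policy[purpose]
    requested = set(requested_fields)
    allowed = requested & rule["allowed"]
    refused = requested - rule["allowed"]
    released, pseudonymised = {}, set()
    for name in sorted(allowed):
        if name not in record:
            continue  # field not held for this principal; nothing to release
        if name in rule["pseudonymise"]:
            released[name] = pseudonymise(record[name])
            pseudonymised.add(name)
        else:
            released[name] = record[name]
    return Release(purpose, released, refused, pseudonymised)


if __name__ == "__main__":
    # A delivery team over-asking for location and payment data gets only
    # the logistics fields, with the phone number pseudonymised.
    r = release_for_purpose(
        PRINCIPAL_RECORD, "logistics",
        ["name", "delivery_address", "phone", "gps_location", "card_token"],
    )
    print("released:", r.released)
    print("refused:", sorted(r.refused))
```

The point of the `refused` set is that the data principal never has to read the permission request: the CM compares it against the rule agreed in advance and releases the minimum, while the over-ask is recorded and can be taken up with the data fiduciary.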

If the concept of CM-DPDPA is merged with CM-DEPA, this advantage would be given up.

The Consent Manager provision in DPDPA 2023 was innovative and, like the “Copyright Society” in copyright law, could be considered an instrument through which a privacy culture can be built up in the country and data principals helped in protecting their privacy against businesses driven by the profit motive.

We feel that this great opportunity should not be missed. Hence a review of Rule 5 is suggested.

Even this system requires the “Fit and Proper” criteria, and hence many of the current provisions remain relevant.

However, Rule 3(a) needs to be modified to remove the words “without the consent manager being in a position to access the personal data”.

Inasmuch as every “Significant Data Fiduciary” is allowed to sub-contract its work while retaining responsibility, the need to prevent a “Consent Manager” from sub-contracting can be reviewed.

On the other hand, it may be specified that every Data Processor of a Consent Manager would itself be deemed to be a Significant Data Fiduciary.

It should be made mandatory that when a Consent Manager needs to exit, or is suspended, or its registration is cancelled, the service shall be ported to another registered Consent Manager so that the data principal is not inconvenienced. Alternatively, a period of up to 1 year should be provided for data principals to switch over to another consent manager of their choice.

The rules prescribe that the CM-DPDPA shall be a company but not a “Foreign Company”.

P.S: As per the Companies Act, Section 2(42):

“foreign company” means any company or body corporate incorporated outside India which (a) has a place of business in India whether by itself or through an agent, physically or through electronic mode; and (b) conducts any business activity in India in any other manner.

This definition is restricted to “incorporation outside India” and is not sufficient to prevent data laundering. “Data” is a sovereign asset and has to be protected from being stolen or surreptitiously laundered. Hence the definition of “Foreign Company” should be expanded to include any company with foreign or non-resident shareholding exceeding 10%, or in which foreign or non-resident interests control more than 33% of the members of the Board.

If the Consent Manager is only a platform and every consent has to be approved by the Data Principal, the very purpose of the consent manager, relieving consent fatigue and the difficulty in understanding permission requirements, is defeated. The CM should therefore be more like a “Power of Attorney holder” who can take some decisions on his own without disturbing the data principal.

It is also suggested that the rules should prescribe that a Consent Manager shall not store personal data abroad.

We request MeitY to consider these suggestions before releasing the final version of the draft.

We also request professionals to comment on the above.

Naavi

Posted in Cyber Law

Who owns Meta Data?

DPDPA 2023 has introduced the concept of “Nomination” in respect of personal data. The Act treats “Nomination” as a right of the data principal and relates it to the “Personal Data”.

Section 14 of the Act states:

Right to nominate.

(1) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.

(2) For the purposes of this section, the expression “incapacity” means inability to exercise the rights of the Data Principal under the provisions of this Act or the rules made thereunder due to unsoundness of mind or infirmity of body.

Though the word “Nomination” has not been defined in the Act or in the draft rules published so far, it is clear that Section 14 treats “Nomination” as a right that transfers control over the other rights, such as the “Right to Access”, the “Right to Correction and Erasure” and the “Right to Grievance Redressal”, to the nominee. Perhaps we should consider that the “Right to Nominate” also gets transferred to the nominee.

In this context we can debate what the “Right to Nominate” is, how it can be executed in respect of personal data, and what processes are to be introduced by the Data Fiduciary for registration of a nomination and settlement of a claim. We have discussed some aspects of this earlier; now we shall discuss one offshoot of nomination, namely property rights in Meta Data.

It is interesting at this stage to recognize the difference between a “Nominee” and a “Power of Attorney Holder” or a “Personal Consent Manager”.

A power of attorney, or the appointment of a consent manager, is an act of “Contract” and operates during the lifetime of an individual; it should be considered automatically revoked on the death of the person. The rights of a Nominee, on the other hand, take birth on the death of the data principal.

The introduction of “Nomination” into the data protection law has now raised two specific jurisprudential issues.

Firstly, if some rights in respect of a thing survive the death of a person, then that thing takes on the nature of “Property” in which the data principal had rights prior to his death.

Thus, if DPDPA 2023 grants the four rights to a living individual in respect of “Personal Data”, meaning “data about an individual who is identifiable by or in relation to such data”, all these rights can be nominated to another individual in the contingent event of the death or incapacity of the data principal. In other words, the “Nominee” inherits all four rights, including the right to nominate the inherited personal data further.

This has unintentionally also given personal data the status of “Property”. If “Personal Data” is property for the purpose of “Nomination”, it should be so for any other purpose, such as “Sale” or “Transfer”.

However, “Nomination” in the tangible property scenario is normally considered not a “Right” but an “Obligation” placed on a person to receive the property on death and ensure its distribution to the legal heirs. The “Executor” of a “Will” is one such person nominated in the Will by the deceased.

“Nomination” is introduced to make it convenient for the asset holder to be relieved, on the death of the individual, of the responsibility for the asset which he held during the individual's lifetime, by handing it over to the nominee. We therefore consider that the “Asset holder” is discharged from his liabilities by transferring the property to the nominee.

In the case of physical property, the property transferred to the nominee ceases to be in the hands of the transferor. But the nature of data is such that even after transferring the property to the nominee, a copy remains with the transferor. Hence “Transfer of Data to the Nominee” also involves “Deletion of Data by the Transferor”. In the DPDPA scenario, the rules should define whether the data transferred to the nominee should be deleted immediately by the data fiduciary or archived for a reasonable period.

There is a second jurisprudential challenge relating to the “Instrument of Nomination”. ITA 2000 does not recognize an electronic document that acts like a Will, transferring rights in property on the death of a person. Hence the most natural way of executing the nomination, adding it as part of the “Consent” in electronic form, appears not to be feasible.

This means that we have to redefine “Nomination” as restricted to “transfer of the custody of the personal data from the Data Fiduciary, who is permitted to make commercial use of the data, to another Data Fiduciary who is permitted to use it only for distribution to the legal heirs and not for exploitation”.

If, therefore, the first Data Fiduciary offers the nominee that the benefits of the data principal (say an account) will be transferred to him provided he allows the continued use of the personal data, it may not be legally proper for the nominee to accept it and continue as manager of the personal data of the deceased. (This situation may arise if the personal data has value even after the death of a person.)

If Personal Data can be considered an “Asset”, whether as intangible property or only a licensable right, that can be “nominated” on death through an instrument, then the question of “who can nominate” the property also has to be settled.

If personal data is the property of the data principal, then obviously he is the person who has to nominate.

However, there is one type of data arising in the context of processing of personal data which is “data about data”, e.g. the transaction data of an e-commerce transaction, or the header information generated by a messaging service like WhatsApp or Gmail. This is generated by the Data Fiduciary.

This meta data may also be identifiable with the individual, but whether ownership is to be assigned to the individual or to the data fiduciary is a legal issue which needs to be settled.

This meta data is a combination of two parts, namely information generated by the data fiduciary and information contributed by the data principal. Hence it cannot be treated entirely as the property of the data principal, eligible for nomination and absolute transfer. The part contributed by the data fiduciary is his property, and the mix with the identifiable personal data of the individual should be considered “jointly owned”.

The consequences of identifying “Meta Data” as joint property have other, deeper implications in law that will be explored in future. For the time being let us leave it as a privacy jurisprudential thought.

One such consequence is whether, when disclosure of Meta Data is required, the data fiduciary who is also an “Intermediary” under ITA 2000 can disclose without specific consent the whole of the Meta Data or only the part of the Meta Data created by him. Should the “Consent artifact” include a statement that the right in Meta Data is considered jointly owned, or singularly owned by the data fiduciary?

All these issues need to be discussed and clarified in the rules under DPDPA 2023. But the draft rules so far made available do not address this. We hope it will be added in the next version.

Comments and debate are welcome.

Naavi

Posted in Cyber Law

DPDP Rules: The event and the day after

FDPPI and Naavi thank all the physical and virtual participants of the event held yesterday in Bengaluru. Special thanks to the panellists for sharing their valuable views. It was a hybrid event, with the physical event held at Suchitra Auditorium, Bengaluru.

Chief Additional Metropolitan Magistrate Sri C.K. Veeresh Kumar inaugurated the event and shared important suggestions for the effective functioning of the dispute resolution mechanism under DPDPA/ITA 2000. Professor N K Goyal and Mr Rakesh Maheshwari (former Senior Director, MeitY) participated in the inaugural session (virtually).

Sri Rakesh Maheshwari gave a brief overview of the DPDPA and the proposed rules.

Naavi anchored the five panel discussions, posing nearly 100 different questions to highlight the concerns related to implementation of the proposed rules, and the industry experts, a few of whom participated virtually, shared their views. In the process important insights have been gathered and are being collated.

All the participants have also been requested to present their views on the presently available rules, and the suggestions will be collated and submitted to MeitY.

Naavi

Posted in Cyber Law

Let Us Discuss DPDPA Rules on July 27th

DPDPA will change the course of every company in India. The Rules are here for public debate. Use this opportunity to share your views. We would all be helping MeitY with our suggestions.

Register today at: www.fdppi.in

Naavi

Posted in Cyber Law